IPsec is a protocol suite for securing IP communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys to be used during the session. IPsec is an end-to-end security scheme operating in the Internet Protocol (IP) layer of the Internet Protocol Suite. It can be used for protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). Internet Key Exchange (IKEv1 or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE uses a Diffie-Hellman key exchange to set up a shared session secret, from which cryptographic keys may be derived. Public-key techniques or, alternatively, a pre-shared key may be used to mutually authenticate the communicating parties.
In a typical system, an IKE Key Manager (KM) is co-located on the same device as each of its dependent applications. This is also true of a typical high-availability (HA) system, where the active KM and its active dependent applications are co-located on the same device. In the event of a device fault or application fault, the KM and its dependent applications are re-assigned to a backup device, and the previously active device is disabled, tested, and returned to service at a later time.
In a high-availability system, implementing an IPsec solution can be a complex task. Several data items are synchronized across two or more devices. Some data, such as application configuration data, is static in nature and is usually only distributed once to all devices and updated when modified by user request. Static data is relatively straightforward to synchronize across redundant devices. Other data is dynamic and usually involves more complex processing and interactions to synchronize in conventional systems.
Dynamic data is data that changes without direct user manipulation, either on a per-packet or a per-event basis. IPsec Security Association (SA) Security Parameter Index (SPI) values, sequence numbers, and key values are examples of dynamic IPsec data. A precondition to setting up an IPsec SA is the establishment of an Internet Key Exchange (IKE) SA. The generation of an IKE SA is triggered by a packet, sent by an application, which matches an IPsec Security Policy (SP) and which does not have a corresponding IPsec SA instance. The absence of an IPsec SA is the trigger for the KM to establish a new IKE SA if one does not already exist. Once the IKE SA is established, it remains in the KM SA Database (SADB) until its configured lifetime has expired, typically on the order of days or weeks. Its purpose is to secure communications between the two nodes while they negotiate replacement IPsec SA instances, as existing instances expire at the end of their configured lifetime, typically on the order of hours or days.
Secondary to the task of negotiating replacement IPsec SA instances, the IKE SA is used in conventional systems to monitor the presence of the IKE SA at the far-end device. In this case, the absence of replies from the far-end device is treated as a fault event: the child IPsec SA instances are deleted and secure communication is halted until a new set of IKE and IPsec SA instances can be negotiated.
As IKE SA instances are negotiated or refreshed their dynamic data is synchronized across the redundant devices. This task is usually straightforward when the KM is operated in a scenario in which the applications on a given device are either all active or all in standby mode. Data flows from one device to multiple devices, and since there is only a single master KM, complexity is greatly reduced.
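As an added illustration (not part of the original text and not the described system's own code), the Python model below traces the control flow of the preceding paragraphs: an outbound packet that matches an SP but has no valid IPsec SA triggers child-SA negotiation over an existing IKE SA or, failing that, a fresh IKE exchange; an unanswered far end drops the IKE SA and all of its children; and `dynamic_state()` collects the per-flow values a standby KM would need to take over. The policy tuples, lifetimes, and SPI/key generation are constructed placeholders, and no real IKE messages are exchanged.

```python
import secrets

# Constructed lifetimes (s): the page puts IKE SAs at days/weeks, IPsec SAs at hours/days.
IKE_LIFETIME = 7 * 24 * 3600
IPSEC_LIFETIME = 8 * 3600

class KeyManager:
    """Toy IKE Key Manager: a security policy (SP) list plus an SA database (SADB)."""

    def __init__(self, policies):
        self.policies = policies          # constructed: (src_prefix, dst_prefix, peer)
        self.ike_sas = {}                 # peer -> IKE SA expiry time
        self.ipsec_sas = {}               # (src, dst) flow -> child SA dynamic data
        self.ike_negotiations = 0         # counters show which exchanges actually ran
        self.ipsec_negotiations = 0

    def match_policy(self, src, dst):
        for sp_src, sp_dst, peer in self.policies:
            if src.startswith(sp_src) and dst.startswith(sp_dst):
                return peer
        return None                       # no SP matches: nothing for the KM to do

    def ensure_ike_sa(self, peer, now):   # full IKE exchange only if no live IKE SA exists
        if self.ike_sas.get(peer, 0) <= now:
            self.ike_negotiations += 1
            self.ike_sas[peer] = now + IKE_LIFETIME

    def negotiate_ipsec_sa(self, flow, peer, now):
        self.ensure_ike_sa(peer, now)     # child SA negotiation needs a live IKE SA
        self.ipsec_negotiations += 1
        self.ipsec_sas[flow] = {"spi": 256 + secrets.randbelow(2**32 - 256),  # SPIs 0-255 reserved
                                "key": secrets.token_bytes(32), "expiry": now + IPSEC_LIFETIME, "seq": 0}
        return self.ipsec_sas[flow]

    def outbound(self, src, dst, now):    # trigger: SP match without a valid IPsec SA
        peer = self.match_policy(src, dst)
        if peer is None:
            return None
        sa = self.ipsec_sas.get((src, dst))
        if sa is None or sa["expiry"] <= now:
            sa = self.negotiate_ipsec_sa((src, dst), peer, now)
        sa["seq"] += 1                    # per-packet dynamic data
        return sa

    def peer_unreachable(self, peer):     # far end stops answering: drop IKE SA and its children
        self.ike_sas.pop(peer, None)
        for flow in [f for f in self.ipsec_sas if self.match_policy(*f) == peer]:
            del self.ipsec_sas[flow]

    def dynamic_state(self):              # what a standby KM needs to take over without renegotiation
        return {"ike": dict(self.ike_sas), "ipsec": {f: dict(s) for f, s in self.ipsec_sas.items()}}
```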
There is currently no solution to efficiently provide high-availability IKE SA instances in systems that do not conform to an all-active or all-standby per-device model.